Intrusion Detection Systems with Snort


  • Intrusion Detection Systems with Snort
    Hailun Yan, 564 project

  • Outline
    IDS categories
    Installation procedure
    Components of Snort
    Most frequently used functions
    Testing of Snort/ACID

  • Components of a Security System
    A security system consists of:
      Firewalls
      Intrusion detection systems (IDS)
      Vulnerability assessment tools

  • Categories of IDS
    Network Intrusion Detection System (NIDS)
      Listens to and analyses the traffic on a network segment
      Captures packets and compares them against a database of signatures
    Host-based Intrusion Detection System (HIDS)
      Installed as an agent on the host it protects
      Listens to and analyses the system logs of that host

  • Snort-based IDS

  • Single Sensor IDS

  • Multiple Sensor IDS

  • Installation
    Snort can be downloaded from http://www.snort.org
    Supported platforms include: Linux, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, MacOS and Windows

  • Installation (Cont.)
    Pre-installation (packages Snort and the ACID console depend on):
      Zlib 1.2.1
      LibPcap 0.7.2
      MySQL 4.0.15
      Apache 2.0.52
      PHP 4.3.3

  • Installation (Cont.)
    Install Snort (the --with-mysql option builds the MySQL output plugin used below)
      #> tar xzvf snort-2.2.0.tar.gz
      #> cd snort-2.2.0
      #> ./configure --with-mysql=/usr/local/mysql
      #> make
      #> make install

  • Installation (Cont.)
    Install the rules and the configuration file
      #> mkdir /etc/snort
      #> mkdir /var/log/snort
      #> cd rules
      #> cp * /etc/snort
      #> cd ../etc
      #> cp snort.conf /etc/snort
      #> cp *.config /etc/snort

  • Installation (Cont.)
    Snort configuration (in snort.conf)
      var HOME_NET
      var RULE_PATH /etc/snort/
      output database: log, mysql, user=snort password=xxx dbname=snort host=localhost
    HOME_NET holds the address range of the network Snort protects and is referenced by the rules; RULE_PATH is where the rule files were copied above. The output line sends alerts and logged packets to the MySQL database set up on the next slide; because the database password is stored in clear text, snort.conf should be readable only by the account that runs Snort.

  • Installation (Cont.)
    Setting up the database in MySQL (the snort account gets only the privileges it needs on the snort database)
      mysql> set password for root@localhost=password('xxx');
      mysql> create database snort;
      mysql> grant insert, select on root.* to snort@localhost;
      mysql> set password for snort@localhost=password('xxx');
      mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
      mysql> grant create, insert, delete, select, update on snort.* to snort;
      mysql> exit
      shell> /usr/local/mysql/bin/mysql -u root -p < ./contrib/create_mysql snort
      Enter password: xxx
    The last command loads the table schema shipped in Snort's contrib directory into the snort database.

  • Installation (Cont.)
    To display the alert messages generated by Snort in a web browser, install:
      Analysis Console for Intrusion Databases (ACID)
      JPGraph (graphing library used by ACID)
      ADODB (database abstraction layer used by ACID)

  • Check to See If Everything Is Working
      #> /usr/local/apache/bin/apachectl start
      #> /usr/local/mysql/bin/mysqld_safe &
      #> /usr/local/bin/snort -c /etc/snort/snort.conf -D
      #> ping
    Start the web server and the database, then start Snort with the configuration file (-c) as a daemon (-D). Ping a host on the monitored network so that Snort has some traffic to inspect, then look for the resulting events in ACID.

  • Output on ACID

  • Components of Snort
    A Snort-based IDS contains the following components:
      Packet decoder
      Preprocessors
      Detection engine
      Logging and alerting system
      Output modules

  • Packet Decoder
    Takes raw packets from different types of network interfaces
    Sends the decoded packets to the preprocessors
    The preprocessors then send them on to the detection engine

  • Preprocessor
    Attackers use different techniques to fool an IDS:
    Exact match: if a rule looks for the signature httpd/conf in HTTP packets, an attacker can evade it by writing the string as httpd/./conf or httpd/../httpd/conf. A preprocessor normalises the string so that the detection engine can still match it.
    Packet fragmentation: an attacker can split a signature across several small fragments so that no single packet contains it. A preprocessor reassembles the fragments first and sends the whole packet to the detection engine for signature testing.
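The two evasions on this slide, shown in a small Python model of the preprocessor stage. This is an added example, not code from the slides or from Snort's own preprocessors: a plain substring search for the signature misses the path tricks and a signature split across fragments, while normalising the request path and reassembling the fragments first makes the same signature match again. The request lines and fragments are constructed sample data, and the percent-decoding step goes beyond the slide's two examples.

```python
"""Added example (not code from the slides or from Snort): why the
preprocessor sits in front of the detection engine.  A plain substring
search for the signature misses the path tricks mentioned on the slide and
a signature split across fragments; normalising the request path and
reassembling the fragments first makes the same signature match again.
All request lines and fragments below are constructed sample data."""

import posixpath
from urllib.parse import unquote

SIGNATURE = b"httpd/conf"


def naive_match(payload: bytes) -> bool:
    """What the detection engine alone does: a plain substring test."""
    return SIGNATURE in payload


def normalize_http_request(request: bytes) -> bytes:
    """Rewrite the request line the way an HTTP preprocessor would:
    percent-decode the URI (goes beyond the slide's examples) and collapse
    '.' and '..' segments, so /httpd/./conf and /cgi/../httpd/conf both
    become /httpd/conf.  Anything that is not a request line is returned
    unchanged."""
    line, sep, rest = request.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3:
        return request
    method, uri, version = parts
    path = posixpath.normpath(unquote(uri.decode("latin-1")))
    return b" ".join([method, path.encode("latin-1"), version]) + sep + rest


def reassemble(fragments):
    """Put (offset, data) fragments delivered in any order back into one
    payload.  A gap or overlap raises instead of silently matching on a
    partial stream."""
    buf = b""
    for offset, data in sorted(fragments):
        if offset != len(buf):
            raise ValueError(f"gap or overlap at offset {offset}")
        buf += data
    return buf


def preprocess_and_detect(fragments) -> bool:
    """Full pipeline: reassemble, normalise, then apply the signature."""
    return naive_match(normalize_http_request(reassemble(fragments)))


# constructed evasion attempts: each one hides 'httpd/conf' from a raw match
EVASIONS = [
    b"GET /httpd/./conf HTTP/1.0\r\n",
    b"GET /cgi/../httpd/./conf HTTP/1.0\r\n",
    b"GET /httpd%2Fconf HTTP/1.0\r\n",
]

# the same request split across two fragments, delivered out of order
FRAGMENTS = [(10, b"/./conf HTTP/1.0\r\n"), (0, b"GET /httpd")]

if __name__ == "__main__":
    for req in EVASIONS:
        print(req, "raw:", naive_match(req),
              "normalised:", naive_match(normalize_http_request(req)))
    print("per-fragment:", [naive_match(d) for _, d in FRAGMENTS],
          "reassembled:", preprocess_and_detect(FRAGMENTS))
```

Each evasion fails the raw match and passes after normalisation; neither fragment on its own contains the signature, but the reassembled request does. The gap check in reassemble matters in practice: matching on a partially reassembled stream is itself an evasion opportunity.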

  • The Detection Engine
    Its responsibility is to detect whether any intrusion activity exists in a packet. It dissects the packet and applies rules to its different parts:
      The IP header of the packet
      The transport-layer header, e.g. TCP or UDP
      The application-layer header, e.g. DNS, FTP, SNMP or SMTP
      The packet payload: a rule can be written to find a string inside the data

  • Logging and Alerting System
    A captured packet may be used to log the activity or to generate an alert. Logs are kept in simple text files, in tcpdump-style binary files or in some other form. Log files are stored under the /var/log/snort folder by default; use the -l parameter to change the log location.

  • Output Modules
    Depending on the configuration, output modules can do things like the following:
      Simply logging to the /var/log/snort/alerts file
      Sending SNMP traps
      Sending messages to the syslog facility
      Logging to a database such as MySQL or Oracle
      Generating XML output
      Modifying the configuration of routers and firewalls
      Sending Server Message Block (SMB) messages to Microsoft Windows-based machines
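As an added example that is not on the slides, this is what several of these modules look like as output directives in snort.conf; the file names are relative to the log directory and the database password is a placeholder, as on the installation slide.

```conf
# snort.conf output section (added example, not from the slides).
# Each "output" line loads one plugin; several can be active at the same time.

# one-line text alerts, written to the file "alert" in the log directory
# (/var/log/snort unless -l says otherwise)
output alert_fast: alert

# full packets in tcpdump/pcap format, readable with "tcpdump -r" or "snort -r"
output log_tcpdump: snort.log

# alerts to the local syslog daemon: facility LOG_AUTH, priority LOG_ALERT
output alert_syslog: LOG_AUTH LOG_ALERT

# alerts and packets to the MySQL database that ACID reads; the password is
# stored in clear text, so keep snort.conf readable only by the Snort account
output database: log, mysql, user=snort password=xxx dbname=snort host=localhost
```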

  • Components of Snort

  • Snort Modes
    Snort operates in two basic modes:
    Sniffer mode
      Logs packets into log files
      The log files can be analysed with tcpdump, Snort, etc.
      Similar tools include tcpdump, snoop, etc.
    NIDS mode
      Rule-based IDS
      Generates alerts, which are saved in the database
      Analysed with the ACID software package

  • Sniffing Mode#> snort -v

  • Sniffing Mode (Cont.)
    Press Ctrl+C to stop; Snort prints packet statistics before exiting

  • Sniffing Mode (Cont.)
    The -e parameter makes Snort also display the layer-2 (link-layer) headers
      #> snort -ve

  • Sniffing Mode (Cont.)
    The -d parameter makes Snort also display the application-layer payload
      #> snort -vd

  • Network Intrusion Detection Mode
    Does not log every captured packet
    Applies the rules to all captured packets
    Reads the configuration file snort.conf, and all the files it includes, before starting

  • Structure of A Rule
    A Snort rule is divided into two parts:
      rule header: what action the rule takes, and the criteria for matching the rule against packets (protocol, source and destination addresses and ports)
      rule options
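The two-part rule structure, and the way the detection engine applies the header and then the payload options described earlier, shown in a small Python parser and matcher. This is an added example, not code from the slides or from Snort itself: it supports only a handful of options (msg, sid, rev, content, nocase) and the any / CIDR / negated address and single / range port forms, where real Snort supports far more. The rules and packets are constructed sample data.

```python
"""Added example (not code from the slides or from Snort): parse the two
parts of a Snort rule, the header and the options, and apply one rule to a
packet the way the detection engine does.  Only msg, sid, rev, content and
nocase are understood; addresses may be 'any', a CIDR or a '!'-negated
CIDR, ports 'any', a number or a lo:hi range.  Sample data is constructed."""

import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)
    contents: list = field(default_factory=list)   # [bytes, nocase] pairs


# one option: name, optional ':value' (quoted values may contain ';'), then ';'
_OPTION = re.compile(r'\s*([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(text: str) -> Rule:
    """Split 'header (options)' into a Rule."""
    header, _, opts = text.strip().partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    rule = Rule(action, proto, src, sport, direction, dst, dport)
    for m in _OPTION.finditer(opts.rstrip(")")):
        key, value = m.group(1), m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]
        if key == "content":
            rule.contents.append([value.encode("latin-1"), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True      # nocase modifies the preceding content
        else:
            rule.options[key] = value
    return rule


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _header_match(rule: Rule, src, sport, dst, dport) -> bool:
    return (_addr_match(rule.src, src) and _port_match(rule.sport, sport)
            and _addr_match(rule.dst, dst) and _port_match(rule.dport, dport))


def match(rule: Rule, pkt: dict) -> bool:
    """Header first (protocol, addresses, ports), then the content options
    against the payload; '<>' rules are tried in both directions."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    ok = _header_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule.direction == "<>":
        ok = _header_match(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok:
        return False
    for needle, nocase in rule.contents:
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def run(rules_text, packets):
    """Return the alert lines produced by applying every rule to every packet."""
    rules = [parse_rule(r) for r in rules_text]
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and match(rule, pkt):
                o = rule.options
                alerts.append(f"[1:{o['sid']}:{o.get('rev', '0')}] {o['msg']}")
    return alerts


# constructed rules and packets (192.168.1.0/24 plays the role of HOME_NET)
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB httpd conf access"; content:"httpd/conf"; nocase; sid:1000001; rev:1;)',
    'alert icmp any any -> 192.168.1.0/24 any (msg:"ICMP echo to home net"; sid:1000002; rev:1;)',
]
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /HTTPD/CONF HTTP/1.0\r\n"},          # matches via nocase
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.10", "dport": 8080,
     "payload": b"GET /httpd/conf HTTP/1.0\r\n"},          # wrong port: header fails
    {"proto": "icmp", "src": "10.0.0.5", "sport": 0, "dst": "192.168.1.20", "dport": 0,
     "payload": b""},
]

if __name__ == "__main__":
    for line in run(RULES, PACKETS):
        print(line)
```

The second packet shows the order of evaluation: its payload contains the signature, but the header criteria (port 80) fail, so the content option is never consulted. That is also why header fields should be as specific as the traffic allows; a rule with any/any on both sides makes every packet pay for the payload search.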
